“Pavlovian password management” aims to change sloppy habits

Policy would reward or penalize people based on the passwords they pick.

For more than a decade, the virtues of strong passwords have been lost on most end users, despite frequent sermons from security experts and IT administrators over their importance in locking down accounts. Now, a consultant is proposing a system that provides rewards or penalties based on the passcode choices people make.

For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (the quotation marks around passwords in this post are not part of the passwords), the system wouldn't require a change for three months.

"We spend a lot of time telling the user to 'do this because security experts advise it, or it's part of our policy' but we don't really provide an incentive or an understanding of why we tell them to do this," James wrote in a blog post laying out the idea for what he dubs "Pavlovian password management." "Well, humans are programmable, and the best way to see the human brain is to look at it like a Bayesian network. It requires training for it to adapt to change and repeated consistent data to be provided."

James' system makes certain assumptions about the difficulty, cost, and time involved in cracking various passwords. As Ars has noted before, many metrics for grading password strength are woefully out of step with modern crackers. James' assumptions about the relative strength of "test123@#" versus "t3st123@33$x" may or may not stand up to many assessments, but that's not the point here. His system is about using the results of whatever grading system is adopted to reward or penalize the end user. Over time, users will gradually internalize the values of good password hygiene, he posits.

The Pavlovian password policy comes a few weeks after engineers at Stanford unveiled a new password policy that shuns one-size-fits-all security. It's similar to the system James proposes because it requires users to include numbers and special characters only when choosing shorter passwords. Passcodes that have a length of 20 or more can contain any character type an end user wants, including all lowercase letters.
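The following sketch, written for this article and not taken from James's blog post or from Stanford's policy, shows how the two ideas above can be expressed as code: an expiry period that shrinks as the estimated offline cracking time shrinks, and a complexity rule that relaxes once a password is long enough. The guess rate, the wordlist size, the expiry tiers and the simplified two-tier length rule are constructed assumptions for illustration; they are not the figures James or Stanford used, so the example does not reproduce the 4.5-day estimate quoted above. It also contrasts a naive composition-based strength estimate with a pattern-aware one, to show the point made earlier that the grading model, not the policy, decides what the user experiences.

```python
"""Pavlovian password expiry: rotate sooner the faster a password is estimated to fall."""
import string

# Constructed assumptions for illustration (not figures from the article).
GUESSES_PER_SECOND = 1e9        # assumed offline cracking rate
WORDLIST_SIZE = 100_000         # assumed size of an attacker's base wordlist
COMMON_WORDS = ("test", "password", "admin", "welcome", "letmein")  # constructed sample
LEET = str.maketrans("013457@$", "oleastas")  # undo common letter substitutions
SECONDS_PER_DAY = 86_400


def charset_size(pw: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password's classes."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32
    return size


def _days_for_keyspace(space: float) -> float:
    # An attacker finds the password after searching half the space on average.
    return space / 2 / GUESSES_PER_SECOND / SECONDS_PER_DAY


def naive_crack_days(pw: str) -> float:
    """Composition-only estimate: every character drawn uniformly from its alphabet."""
    return _days_for_keyspace(charset_size(pw) ** len(pw))


def pattern_aware_crack_days(pw: str) -> float:
    """Hybrid-attack estimate: if a common word is embedded (even with leet spelling),
    the attacker enumerates wordlist x case/leet variants x the remaining tail only."""
    normalised = pw.lower().translate(LEET)  # 1:1 mapping keeps positions aligned
    for word in COMMON_WORDS:
        idx = normalised.find(word)
        if idx != -1:
            tail = pw[:idx] + pw[idx + len(word):]
            variants = 2 ** len(word)  # each letter: original or substituted/cased
            space = WORDLIST_SIZE * variants * charset_size(tail) ** len(tail)
            return _days_for_keyspace(space)
    return naive_crack_days(pw)


def expiry_days(crack_days: float) -> int:
    """Reward/penalty tiers (constructed): rotate within 3 days if an offline attacker
    could plausibly finish inside a week, otherwise grant a longer validity period."""
    if crack_days < 7:
        return 3
    if crack_days < 90:
        return 30
    return 90


def meets_length_tiered_policy(pw: str, min_len: int = 8, free_len: int = 20) -> bool:
    """Simplified two-tier rule in the spirit of the Stanford policy (assumption):
    short passwords need a digit and a special character; long ones may use anything."""
    if len(pw) < min_len:
        return False
    if len(pw) >= free_len:
        return True
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in string.punctuation for c in pw)
    return has_digit and has_special


if __name__ == "__main__":
    for pw in ("test123@#", "t3st123@##$x", "correct horse battery staple"):
        naive, aware = naive_crack_days(pw), pattern_aware_crack_days(pw)
        print(f"{pw!r}: naive {naive:,.1f} d -> expiry {expiry_days(naive)} d; "
              f"pattern-aware {aware:,.1f} d -> expiry {expiry_days(aware)} d; "
              f"length-tiered accept={meets_length_tiered_policy(pw)}")
```

Run as a script, the weak example lands in the 3-day tier only under the pattern-aware estimate; the naive estimate gives it the longest tier, which is exactly the mismatch between grading metrics and real crackers the article warns about.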